From 8dc71c176c380b6ff84accea41df2167fd965fc2 Mon Sep 17 00:00:00 2001 From: cmckee786 Date: Sat, 5 Apr 2025 20:56:23 -0400 Subject: [PATCH] fix: fixup some cmds and links add: download section with .txt's and .doc's fix: code blocks malformed from copy paste fix: malformed command fix: add .txt for u2_lab fixed: malformed .txt output --- src/assets/downloads/u2/u2_lab.txt | 131 +++++++++++++++++++++++++++++ 1 file changed, 131 insertions(+) create mode 100644 src/assets/downloads/u2/u2_lab.txt diff --git a/src/assets/downloads/u2/u2_lab.txt b/src/assets/downloads/u2/u2_lab.txt new file mode 100644 index 0000000..a5c46fd --- /dev/null +++ b/src/assets/downloads/u2/u2_lab.txt 
@@ -0,0 +1,131 @@ +Unit 2 Lab – Network Standards and +Compliance + +Required Materials + +Putty or other connection tool Lab Server +Root or sudo command access +STIG Viewer 2.18 (download from https://public.cyber.mil/stigs/downloads/ ) + + +EXERCISES (Warmup to quickly run through your system and familiarize yourself) + +1. sysctl -a | grep -i ipv4 | grep -i forward + 1. Does this system appear to be set to forward? Why or why not? +2. sysctl -a | grep -i ipv4 | grep -i martian + 1. What are martians and is this system allowing them? +3. sysctl -a | grep -i panic + 1. How does this system handle panics? +4. sysctl -a | grep -i crypto + 1. What are the settings you see? Is FIPS enabled? +5. cat /proc/cmdline +6. fips-mode-setup --check +7. sestatus +8. cat /etc/selinux/config + 1. What information about the security posture of the system can you see here? + 1. Can you verify SELINUX status? + 2. Can you verify FIPS status? + +PreLAB + +Download the STIG Viewer 2.18 from - https://public.cyber.mil/stigs/downloads/ +Download the STIG for RHEL 9 and the import it into your STIG viewer +Create a checklist from the opened STIG for RHEL 9 + +LAB + +This lab is designed to have the engineer practice securing a Linux server or service against a set of configuration standards. These standards are sometimes called benchmarks, checklists, or guidelines. The engineer will be using STIG Viewer 2.18 to complete this lab. + +Network Service configuration: + +1. Connect to a hammer server +2. Filter by ipv4 and see how many STIGS you have. +3. Examine STIG V-257957 + 1. What is the problem? + 2. What is the fix? + 3. What type of control is being implemented? +4. Is it set properly on your system? + 1. sysctl -a | grep -i ipv4 | grep -i syncookies + 2. Can you remediate this finding? + +In this case it’s already correctly set. + +But if we needed to, we would set that value in /etc/sysctl.d/00- remediate.conf +And then reload sysctl with `sysctl --system` + +5. 
Check and remediate V-257958 STIG + 1. What is the problem? + 2. What is the fix? + 3. What type of control is being implemented? + 4. Is it set properly on your system? + 5. How would you go about remediating this on your system? + +6. Check and remediate V-257960 and V-257961 STIGs + 1. What is the problem? How are they related? + 2. What is the fix? + 3. What type of control is being implemented? + 4. Is it set properly on your system? +7. Filter by firewall + 1. How many STIGS do you see? + 2. What do these STIGS appear to be trying to do? What types of controls are they? + + +Firewall port exposure + +Your team needs to use node_exporter with Prometheus to allow scraping of system information back to your network monitoring solution. You are running a firewall, so you need to expose the port that node_exporter runs on to the network outside of your system. + +7. Expose a network port through your firewall + 1. Verify that your firewall is running systemctl status firewalld + 2. Verify that your firewall has the service defined firewall-cmd --get-services | grep -i node +ls /usr/lib/firewalld/services | grep -i node + 3. Verify that the service is not currently enabled for node_exporter firewall-cmd --list-services + 4. Examine the structure of the firewall .xml file +cat /usr/lib/firewalld/services/prometheus-node-exporter.xml + 5. Enable the service through your firewall +firewall-cmd --permanent --add-service=prometheus-node-exporter firewall-cmd --reload + 6. Verify that the service is currently enabled for node_exporter firewall-cmd --list-services + +Automate STIG remediation on a system + +There are many options and the STIG remediation steps are well known. Here the learner will examine a few ways to generate Ansible and Shell fixes to your system. Then one can apply all of them, or just +some of them. This is the real value of a security engineer focused Linux engineer, the tradeoff between security and productivity. + +8. 
Download and extract a STIG remediation tool + +cd /root mkdir stigs cd stigs +wget -O U_RHEL_9_V2R3_STIG_Ansible.zip https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_9_V2R3_STIG_Ansible.zip +unzip U_RHEL_9_V2R3_STIG_Ansible.zip +mkdir ansible +cp rhel9STIG-ansible.zip ansible/ +cd ansible +unzip rhel9STIG-ansible.zip + + +9. Examine the default values for stigs + +vim /root/stigs/ansible/roles/rhel9STIG/defaults/main.yml + +Search for a few of the STIG numbers you used earlier and see their default values. + #use /257784 to search + +10. Examine the playbook to see how those are applied in a running system. + +vim /root/stigs/ansible/roles/rhel9STIG/tasks/main.yml + +#use /257784 to search for the STIG from above and see how it is fixed in the playbook. + +11. Create an Ansible playbook from openscap. + +dnf -y install openscap-scanner openscap-utils openscap-scanner scap-security-guide + +#Generate the Ansible +oscap xccdf generate fix --profile ospp --fix-type ansible /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml > draft-disa-remediate.yml + +#Examine the file +vim draft-disa-remediate.yml + +#Generate a BASH version +oscap xccdf generate fix --profile ospp --fix-type bash /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml > draft-disa-remediate.sh + +#Examine the file +vim draf-disa-remediate.sh \ No newline at end of file
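Review bot: several commands in u2_lab.txt are joined onto a single line and fail as typed: `cd /root mkdir stigs cd stigs` (bash's `cd` rejects extra arguments with "too many arguments", so the stigs directory is never created or entered) and `firewall-cmd --permanent --add-service=prometheus-node-exporter firewall-cmd --reload` (parsed as one invocation, so it is rejected and the runtime configuration is never reloaded); split them, e.g. `cd /root && mkdir stigs && cd stigs`, and `firewall-cmd --permanent --add-service=prometheus-node-exporter` followed by `firewall-cmd --reload`, and do the same for the prose/command pairs in the port-exposure steps ("Verify that your firewall is running systemctl status firewalld", "...has the service defined firewall-cmd --get-services | grep -i node"). The openscap step is mislabeled: `--profile ospp` selects the OSPP profile, not the DISA STIG profile, so `draft-disa-remediate.yml` and `.sh` will not contain STIG remediations; use `--profile stig` (id `xccdf_org.ssgproject.content_profile_stig`, listable with `oscap info /usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml`) if the STIG is the intent, and fix the final `vim draf-disa-remediate.sh` typo so it opens the file just written. Minor: `openscap-scanner` is listed twice in the `dnf -y install` line; `/etc/sysctl.d/00- remediate.conf` has a stray space in the filename, and because `sysctl --system` reads files in lexical order with `/etc/sysctl.conf` last, a `00-` prefix lets any later file that sets the same key override the remediation, so prefer a high-numbered name such as `99-remediate.conf` and verify afterwards with `sysctl net.ipv4.tcp_syncookies`; step number 7 is used twice (the firewall filter and the port-exposure exercise). Since the port-exposure section opens node_exporter to everything outside the host and node_exporter serves metrics without authentication by default, it is worth telling the learner to limit the opening to the Prometheus scraper's address with a rich rule, e.g. `firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="<prometheus-ip>" service name="prometheus-node-exporter" accept'`, instead of the unrestricted `--add-service`.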